Copilot commented on code in PR #153:
URL: https://github.com/apache/solr-site/pull/153#discussion_r3375252379


##########
plugins/vex/vex.py:
##########
@@ -1,24 +1,108 @@
-import os
-import sys
+import glob
 import json
-from re import sub
-from uuid import UUID, uuid5
+import os
 from hashlib import md5
-from pelican import signals
-from jsonschema import validate
+from pathlib import Path
+from uuid import UUID, uuid5
+
 import jsonref
+from jsonschema import ValidationError, validate
+from pelican import signals
+from strictyaml import load
+from strictyaml.ruamel import YAML
 
-def pelican_init(pelicanobj):
-    with open('vex-input.json', 'r') as input:
-        vex_input = json.loads(input.read())
+SCHEMA_DIR = Path(__file__).resolve().parent / 'schema'
+
+# Lazily loaded, ref-resolved JSON Schema for VEX Markdown front matter.
+_article_schema = None
+
+
+def article_schema():
+    """Load plugins/vex/schema/vex_article.schema.yaml, resolving its $ref into
+    bom-1.6.schema.json. Cached after the first call."""
+    global _article_schema
+    if _article_schema is None:
+        raw = (SCHEMA_DIR / 'vex_article.schema.yaml').read_text()
+        schema = YAML(typ='safe').load(raw)
+        _article_schema = jsonref.replace_refs(
+            schema, base_uri=SCHEMA_DIR.as_uri() + '/')
+    return _article_schema
+
+
+def vex_anchor(path):
+    """Unique per-entry anchor/slug derived from the source filename: the stem
+    without the leading 'YYYY-MM-DD-' date prefix and the '.md' extension.
+
+    Used both for the on-page anchors and as each VEX article's slug, because
+    titles repeat across entries (e.g. 'log4j-core') while filenames are 
unique.
+    """
+    return os.path.basename(path)[11:-3]
 
-    # Our own input format - feel free to change as needed,
-    # but remember to also update this plugin and the templates in
-    # /themes/solr/templates/security.html
-    with open('plugins/vex/schema/vex-input.schema.json', 'r') as file:
-        from pathlib import Path
-        loaded = jsonref.load(file, 
base_uri=Path('./plugins/vex/schema/base').absolute().as_uri())
-        validate(vex_input, loaded)
+
+def split_front_matter(path):
+    """Return (front_matter, body) for a Markdown file with YAML front matter.
+
+    The front matter is the text between the leading '---' line and the next
+    '---' line. Returns (None, full_text) when the file has no front matter.
+    """
+    with open(path, 'r') as f:
+        text = f.read()
+    lines = text.splitlines()
+    if not lines or lines[0].strip() != '---':
+        return None, text
+    for i in range(1, len(lines)):
+        if lines[i].strip() == '---':
+            return '\n'.join(lines[1:i]), '\n'.join(lines[i + 1:])
+    return None, text
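Review bot: `split_front_matter()` opens the Markdown file with `open(path, 'r')` and `article_schema()` reads the schema with `read_text()`, both without an explicit encoding, so decoding depends on the build host's locale rather than on the files' actual encoding. The content added in this PR contains non-ASCII text (the en dash in `versions: "9.4.0–9.8.1"`), which will fail to decode or be mangled on a host with a non-UTF-8 locale, turning a content file into an unexplained build error. Pin it in both places: `with open(path, 'r', encoding='utf-8') as f:` and `(SCHEMA_DIR / 'vex_article.schema.yaml').read_text(encoding='utf-8')`. Separately, `vex_anchor()` slices `[11:-3]` unconditionally, so a filename that lacks the `YYYY-MM-DD-` prefix or the `.md` suffix silently yields a truncated or empty slug; a guard that raises `ValueError` when the basename does not match that pattern would make the mistake visible at build time. The hunk continues past the quoted lines (its header declares 108 new lines).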

Review Comment:
   `split_front_matter()` treats a file that starts with `---` but never closes 
the YAML front matter as if it had no front matter, causing the VEX entry to be 
silently skipped. This can lead to missing vulnerabilities in the generated VEX 
output without an obvious build failure.



##########
themes/solr/static/css/base.css:
##########
@@ -1048,6 +1048,22 @@ ul li div.box div.img.logo-container.orange-background {
   border: 1px solid #CCC;
 }
 
+.cdx-exploitable {
+  color: #fff;
+  background-color: #d32f2f;
+}
+.cdx-not-affected {
+  color: #fff;
+  background-color: #388e3c;
+}
+.cdx-in-triage {
+  color: #fff;
+  background-color: #fbc02d;
+}

Review Comment:
   `.cdx-in-triage` uses white text on a bright yellow background (`#fbc02d`), 
which does not meet WCAG contrast requirements and is hard to read.



##########
themes/solr/templates/vex.html:
##########
@@ -0,0 +1,70 @@
+{% extends "page.html" %}
+
+{% block ng_directives %}x-ng-app-root="/solr"{% endblock %}
+{% block rss %}
+    <link rel="alternate" type="application/atom+xml" title="Solr security 
announce feed"
+          href="/feeds/solr/security.atom.xml"/>{% endblock %}
+
+{% block content_inner %}
+    <div class="small-12 columns">
+
+        {# Renders the CVE / GHSA id(s) of an entry as NVD/GitHub links, or an 
em dash if none. #}
+        {% macro render_ids(article) %}
+            {%- if article.cve is string -%}
+                <a href="https://nvd.nist.gov/vuln/detail/{{ article.cve 
}}">{{ article.cve }}</a>
+            {%- elif article.cve -%}
+                {%- for id in article.cve -%}
+                    {% if id.startswith('CVE') %}<a 
href="https://nvd.nist.gov/vuln/detail/{{ id }}">{{ id }}</a>{% else %}{{ id 
}}{% endif %}{%- if not loop.last %}, {% endif -%}
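Review bot: The `is string` branch links whatever `article.cve` holds to NVD without the `startswith('CVE')` check that the list branch applies, so a single non-CVE identifier in front matter produces a link to a non-existent NVD page while the same identifier inside a list is rendered as text. Both branches should apply one rule, which is easiest by normalising to a list first, e.g. `{%- set ids = [article.cve] if article.cve is string else (article.cve or []) -%}` and keeping only the `for` loop. The identifiers are also interpolated directly into the `href`; they come from schema-validated front matter so the risk is low, but `{{ id|urlencode }}` keeps the URL well-formed if the schema ever admits other characters. The `render_ids` macro and its `for` loop continue past the quoted lines.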

Review Comment:
   The template comment says this renders CVE/GHSA IDs as NVD/GitHub links, but 
GHSA identifiers are currently rendered as plain text (no link). This is also 
inconsistent with the VEX JSON generation which links GHSA IDs to GitHub 
advisories.



##########
plugins/vex/vex.py:
##########
@@ -64,19 +148,32 @@ def pelican_init(pelicanobj):
         "vulnerabilities": vulns
     }
     # From https://github.com/CycloneDX/specification/tree/master/schema

Review Comment:
   The VEX document is validated against the CycloneDX 1.6 schema 
(`bom-1.6.schema.json`), but it currently self-identifies as `specVersion: 
1.4`. This mismatch can confuse downstream consumers that rely on `specVersion` 
when interpreting the document.



##########
content/solr/vex/2025-07-25-cve-2024-51504.md:
##########
@@ -0,0 +1,33 @@
+---
+cve: CVE-2024-51504
+jira: SOLR-17809
+category:
+  - solr/vex
+versions: "9.4.0–9.8.1"
+jars:
+  - zookeeper-3.9.0.jar
+  - zookeeper-3.9.1.jar
+  - zookeeper-3.9.2.jar
+analysis:
+  state: not_affected
+  justification: requires_configuration
+title: "Apache ZooKeeper: Authentication bypass with IP-based authentication 
in Admin Server"
+---
+
+CVE-2024-51504 is **not** considered exploitable in typical **production** 
deployments of Apache Solr (versions 3.4.0 to 3.8.1).

Review Comment:
   The body text says the affected Solr versions are `3.4.0 to 3.8.1`, but the 
front matter `versions` field is `9.4.0–9.8.1`. This looks like a copy/paste 
error and makes the article internally inconsistent.


